Assalamu Alaikum. I welcome all my dear friends to my website.

Saturday, May 9, 2009

Best practice guidelines for information security

Information and Information Technology are critical assets used by any company to achieve its business stated goals. Consequently, it is the responsibility of every person accessing Information Systems to utilize them in an ethical and secure manner.

Please Remember:

1. Safeguarding Information is in everyone’s job description.

2. The biggest component of information S E C U R I T Y is U.

3. Protect your organization, our reputation and your career.

General principles:

1. Prioritize the use of information technology resources for activities related to the group’s business requirements and the productivity of the organization. Curtail non-priority use of computing resources, such as recreational activities and non-business services.

2. Keep yourself up to date with the group’s Information Security Policy.

3. Do not provide third parties with any company data without the necessary authorization from your line management who in turn should consider compliance, legal and trade secret regulations.

4. Please remember that the use of computing resources may be subject to monitoring for security and/or systems management reasons.

Here are some other very basic, common sense information security best practices.

Desktops:
These are “Windows” to the group’s information.
Don’t allow others to peek in.

1. Please ensure that you log out or lock your workstation when you move away from your desk, especially if your desk is in a public area. A quick way to lock the system in Windows XP is to press the Windows key and the letter L simultaneously.

2. Please keep your passwords private. Do not write them on Post-it notes on your monitor or store them under your keyboard! That is the first place anyone would look.

3. Never disclose your user name or password to a third party outside the organization. If you think someone might have watched you typing your password, change it immediately.

4. Even if you know how to, do not create shares on your systems to share files with colleagues. Shares created without proper security could lead to the compromise of the data or could even be used to host virus infections.

5. Do not allow anyone to use your desktop while you are logged on to the computer. If it is an approved requirement, make sure that it happens under your full supervision. Remember that all actions will be logged against your name, making you accountable.

6. Please do not disable any security software, such as antivirus or anti-spyware protection, on your systems. You could be responsible for a virus outbreak that impacts others.

7. The group may restrict your ability to misuse computing resources by not allowing administrative access and by introducing controls such as auditing, encryption and security software. If you have been given more privileges than others because of a business need or the basic function of your department, you must remember: “with great power comes greater responsibility”.

Internet:
Please remember, they don’t call it the WORLD WIDE WEB for no reason. The Internet is a fantastic business and information tool, but it also has some very dark and dangerous streets.

1. Please do not use computing services to visit sites that display pornographic material, or sites used for instant messaging, gambling, games, hacker or cracker sites, or other potentially illegal or undesirable material. It is against the responsible computing policy, and many of these sites also host malicious software that would be secretly installed on your system.

2. Please do not use the Internet to download games, freeware, shareware, VOIP software, toolbars, news tickers or sports tickers. These could contain unknown Trojans that might expose our systems to outsiders.

3. Please do not publish any material or post professional queries on Internet sites without due diligence review of the content by the responsible departments within the organization.

4. Please do not engage in any blogging activities that may tarnish the company’s image, reputation and goodwill.

5. Refer to the Internet Usage Policy posted on the Intranet.

Email:
Can’t live with it, cannot live without it!

1. Don’t send emails when you are angry. You will most definitely regret it later. You might even violate the official email usage policy!

2. Please do not open emails from unknown sources. These may contain suspicious email attachments. If you have opened any such mail, ensure that you never reply to the sender or click on the “unsubscribe” links, as this only confirms your email address to the sender and will invite more junk email.

3. Please do not send chain letters, solicitations, virus hoax messages, jokes or slides with funny pictures using your corporate email. These take up unnecessary resources on the live systems and hog valuable backup space. Additionally, the content of such mails may be offensive or unacceptable to individuals or the organization.

4. Official emails sent externally should always have a disclaimer appended.

5. Please do not mail sensitive official work to your personal email address (Yahoo, Hotmail, Gmail, etc.). There is no guarantee of security for corporate data on these systems.

6. Avoid registering your corporate email address on public personal newsgroups and mailing lists. These will invite more spam and junk mail in our environment.

Software:
There is nothing “soft” about unauthorized software.

1. Do not install any unauthorized software (e.g. from magazines, third-party demo CDs, mp3 music files, personal phone/PDA syncing software, freeware, etc.). There is no way to determine the impact it might have on the integrity of official systems.

2. Please don’t use illegal movie and music CDs on official systems. Apart from being illegal, these CDs may contain virus-infected players and other software.

3. Do not try to install any software that you have personally found which promises to clean up viruses and spyware on your system. It might do just the reverse.

4. Do not try to install software that was “recommended” by a third party to increase the speed of your system. Again, it might just do the reverse.

5. Do not use any application or software that may enable remote access to the workstation or network, or software that could be used for online meetings or presentations. If used improperly, these could give outsiders access to our internal systems.

Clean Desks, Printers, & Other Devices:
Firstly, save the environment and avoid unnecessary printing!

1. If printing is essential, collect the print-outs immediately from printers and fax machines.

2. Always practice a clean desk policy by keeping notebooks and important papers locked away when not in use.

3. Ensure that access to hardcopy reports containing sensitive data is restricted to authorized recipients only.

4. Shred printed reports and records before disposing of them to ensure that they are not in a readable state.

5. Confidential information should not be faxed unless necessary and upon approval of the respective department head.

6. Mobile phones:

a. Employees should avoid using mobile phones in public places for communicating business-sensitive information, as they can be overheard.

b. Sending business-sensitive information by text message over a mobile phone should be avoided.

Prepared by:
Chief Information Security Officer - STS

Javeed Iqbal
